CVE-2026-58480 in Blocksy Companion Pro Plugin
Summary
by MITRE • 07/08/2026
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the save_attachments function exposed through the Advanced Reviews feature. Attackers can exploit the Custom Fonts extension's flawed strpos() substring check by uploading double-extension filenames such as shell.woff2.php, causing the validation to pass on the substring match while the web server executes the file as PHP, achieving remote code execution.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The Blocksy Companion Pro plugin for WordPress represents a popular theme customization tool that enhances website functionality through various extensions and features. This particular vulnerability affects versions prior to 2.1.47 and demonstrates a critical security flaw within the plugin's file upload mechanism. The vulnerability exists within the save_attachments function which is exposed through the Advanced Reviews feature, creating an attack surface that allows unauthenticated remote attackers to execute arbitrary code on affected systems.
The technical implementation of this vulnerability stems from a flawed validation mechanism that relies on the strpos() function for checking file extensions. This approach creates a fundamental security weakness because it performs substring matching rather than comprehensive extension validation. When attackers upload files with double-extension filenames such as shell.woff2.php, the validation logic incorrectly passes the check since the substring "woff2" is found within the filename, while the actual executable portion remains hidden in the latter part of the filename. This bypass technique exploits a common pattern in web application security where simple string matching fails to properly validate file types.
The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with complete control over affected WordPress installations. Once successful, attackers can execute arbitrary code on the web server, potentially leading to full system compromise, data exfiltration, and persistent backdoor installation. The vulnerability affects not just individual websites but entire hosting environments where multiple WordPress installations may be running the vulnerable plugin version. This creates a cascading security risk that can propagate across multiple sites hosted on the same infrastructure.
Security professionals should note this vulnerability aligns with CWE-434 which describes "Unrestricted Upload of File with Dangerous Type" and demonstrates characteristics consistent with ATT&CK technique T1505.003 for "Web Shell." The flaw represents a classic case of inadequate input validation where the system trust model is violated through improper file extension handling. Organizations should immediately update to Blocksy Companion Pro version 2.1.47 or later, as this release includes proper file extension validation that prevents the bypass mechanism. Additionally, implementing web application firewalls with content inspection capabilities and monitoring for suspicious file upload patterns can provide additional defense in depth measures against similar vulnerabilities.
The broader implications of this vulnerability highlight the importance of robust file validation mechanisms in web applications and demonstrate how seemingly minor implementation flaws can create critical security risks. This case study emphasizes that substring matching operations should never be used as primary validation methods for file type checking, particularly in contexts where user-supplied input can lead to code execution. System administrators should also consider implementing automated vulnerability scanning tools that can detect such misconfigurations and monitor for exploitation attempts targeting known vulnerable plugin versions across their networks.